Agencies slowly gain ground on continuous monitoring

Survey finds the practice gaining traction, but there are still laggards

By William Jackson

Sep 20, 2010

Continuous monitoring for vulnerabilities and configuration errors in IT systems is an accepted best practice. It is the standard for agencies in the Federal Information Security Management Act and is recommended in the Consensus Audit Guidelines, a set of security priorities developed by government and industry organizations. The practice has quickly gained traction. But according to a recent survey, it is still far from universal.

“There is both good news and bad news in the numbers,” said Elizabeth Ireland, vice president of strategy at nCircle, a vendor of compliance-auditing tools that conducted the survey.

The good news is that more than half — 57 percent — of the respondents said they are monitoring networks continuously for vulnerabilities and another 13 percent are scanning at least weekly. But only 39 percent are doing continuous scans for compliance with configuration requirements such as the Federal Desktop Core Configuration. Again, 13 percent are doing those scans at least weekly.

More disturbing is that 31 percent of respondents are not resolving the problems that the scans identify, which pretty much defeats the purpose of monitoring. Of those not fixing problems, 44 percent said they don’t have the resources for the job, but another 29 percent of those not fixing problems — 9 percent of all respondents — said it is not a management priority.

Apparently, fixing security holes is just not very important to about 9 percent of those responding to the survey. That is a minority but is still a surprisingly large percentage.

As with any survey, there are some caveats with this one. The results are based on 101 respondents who filled out a Web questionnaire. This is a relatively small, self-selected group that responded to invitations from nCircle to take the survey. And it is difficult to say how many were from government. “We were targeting primarily government,” Ireland said, because that is where much of the impetus for continuous monitoring is coming from. But there are no figures that break down the number of public- and private-sector respondents.

However, the results illustrate the difficulties in establishing a good, simple security practice such as continuous monitoring.

First, the phrase “continuous monitoring” is open to interpretation. It seldom, if ever, means the ability to keep an eye on everything all of the time. It usually is a successive scan that repeats continuously, much like a radar beam that continuously scans a segment of the 360-degree landscape over and over. How often any particular segment of the landscape is scanned depends on the size of the network, speed of the tools and number of parameters being looked at.

And having the tools does not necessarily make it easy to do the monitoring. The start-up usually is a process of scanning, discovering problems, addressing problems and then scanning again.

“It takes time for an organization to put into place the processes that allow [it] to do something” with the data being generated, Ireland said. So the monitoring process proceeds in fits and starts until it approaches something that can be called continuous.

At this stage of the game, it makes sense to look at this cup as half full rather than half empty. Let’s hope that the tap is still open and the cup will continue filling. Continuous monitoring is a process, not a panacea, and progress is under way.